How do I insert "CDS 0 0 0 0"?

Mark Andrews marka at isc.org
Sun Oct 4 13:27:50 UTC 2020


All the fields must exist. NET_DNS2 is wrong.

There must only be the delete CDS/CDNSKEY records and not any other CDS/CDNSKEY records. Having publish and delete instructions at the same time is not consistent.

-- 
Mark Andrews
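The two errors reported in this thread come from two different checks, and the following is an added example (written for this page, not BIND's own code) that reproduces both on constructed zone lines. The CDS digest field is hex-encoded, so the single zero byte of the RFC 8078 delete record is written `00`; a lone `0` is an odd-length hex string, which is what "bad hex encoding" refers to. Once the record parses, a delete record has to be the only CDS (and CDNSKEY) record present, so a zone that also carries publish records fails the consistency check. The `check_records` helper, the `SAMPLES` zone lines and the base64 key in them are all constructed for the example; the record forms `CDS 0 0 0 00` and `CDNSKEY 0 3 0 AA==` are the ones quoted in the thread.

```python
from __future__ import annotations

import base64
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class CDS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class CDNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


# RFC 8078 section 4 delete signal: all numeric fields 0 and a one-byte zero digest/key.
CDS_DELETE = CDS(0, 0, 0, b"\x00")          # presentation format: CDS 0 0 0 00
CDNSKEY_DELETE = CDNSKEY(0, 3, 0, b"\x00")  # presentation format: CDNSKEY 0 3 0 AA==


def parse_cds(rdata: str) -> CDS:
    """Parse CDS rdata in presentation format, e.g. "0 0 0 00"."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CDS needs key tag, algorithm, digest type and digest")
    tag, alg, dtype, *hexparts = fields
    hexdigest = "".join(hexparts)  # the digest may be written as whitespace-separated groups
    try:
        digest = binascii.unhexlify(hexdigest)  # rejects odd-length input such as "0"
    except binascii.Error as exc:
        raise ValueError(f"bad hex encoding: {hexdigest!r}") from exc
    return CDS(int(tag), int(alg), int(dtype), digest)


def parse_cdnskey(rdata: str) -> CDNSKEY:
    """Parse CDNSKEY rdata in presentation format, e.g. "0 3 0 AA=="."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CDNSKEY needs flags, protocol, algorithm and public key")
    flags, proto, alg, *b64parts = fields
    try:
        key = base64.b64decode("".join(b64parts), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 encoding: {''.join(b64parts)!r}") from exc
    return CDNSKEY(int(flags), int(proto), int(alg), key)


def check_consistency(cds_set: list[CDS], cdnskey_set: list[CDNSKEY]) -> list[str]:
    """Return the problems found; an empty list means the RRsets are consistent."""
    problems: list[str] = []
    cds_delete = CDS_DELETE in cds_set
    cdnskey_delete = CDNSKEY_DELETE in cdnskey_set
    # The delete record must be the only RR of its type (RFC 8078: "one RR and only").
    if cds_delete and len(cds_set) != 1:
        problems.append("CDS delete record mixed with other CDS records")
    if cdnskey_delete and len(cdnskey_set) != 1:
        problems.append("CDNSKEY delete record mixed with other CDNSKEY records")
    # A delete signal in one type next to publish records in the other contradicts itself.
    if cds_delete and cdnskey_set and not cdnskey_delete:
        problems.append("CDS says delete but CDNSKEY publishes keys")
    if cdnskey_delete and cds_set and not cds_delete:
        problems.append("CDNSKEY says delete but CDS publishes digests")
    # Outside the delete record, algorithm 0 and digest type 0 are reserved values.
    for r in cds_set:
        if r != CDS_DELETE and (r.algorithm == 0 or r.digest_type == 0):
            problems.append(f"CDS {r.key_tag} {r.algorithm} {r.digest_type} {r.digest.hex()}: reserved zero field")
    return problems


def check_records(lines: list[str]) -> list[str]:
    """Check zone-file style lines such as "@ 3600 IN CDS 0 0 0 00"; returns the problems found."""
    cds_set: list[CDS] = []
    cdnskey_set: list[CDNSKEY] = []
    problems: list[str] = []
    for line in lines:
        tokens = line.split()
        # The rdata starts after the RR type token; owner, TTL and class before it are skipped.
        for i, tok in enumerate(tokens):
            if tok.upper() not in ("CDS", "CDNSKEY"):
                continue
            rdata = " ".join(tokens[i + 1:])
            try:
                if tok.upper() == "CDS":
                    cds_set.append(parse_cds(rdata))
                else:
                    cdnskey_set.append(parse_cdnskey(rdata))
            except ValueError as exc:
                problems.append(f"{line.strip()}: {exc}")
            break
    return problems + check_consistency(cds_set, cdnskey_set)


# Constructed sample RRsets (hypothetical zone content, not taken from any real zone).
SAMPLE_KEY_B64 = base64.b64encode(b"\x01" * 32).decode()
SAMPLES = {
    "delete_ok": ["@ 3600 IN CDS 0 0 0 00", "@ 3600 IN CDNSKEY 0 3 0 AA=="],
    "odd_hex": ["@ 3600 IN CDS 0 0 0 0"],  # first error in the thread: "bad hex encoding"
    "mixed": ["@ 3600 IN CDS 0 0 0 00", "@ 3600 IN CDS 12345 13 2 " + "ab" * 32],  # second error
    "contradictory": ["@ 3600 IN CDS 0 0 0 00", "@ 3600 IN CDNSKEY 257 3 13 " + SAMPLE_KEY_B64],
    "two_zero_bytes": ["@ 3600 IN CDS 0 0 0 0000"],  # parses, but is not the delete record
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, "->", check_records(lines) or "OK")
```

Running the block prints one line per sample; only `delete_ok` passes, which is the state Mark Andrews describes: the delete record alone, with no other CDS or CDNSKEY records in the zone.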

> On 5 Oct 2020, at 00:02, Mark Andrews <marka at isc.org> wrote:
> Use up-to-date software.
> 
> -- 
> Mark Andrews
> 
>> On 4 Oct 2020, at 23:48, Mark Elkins <mje at posix.co.za> wrote:
>> What is the magic incantation for inserting a "CDS 0 0 0 0" record in BIND?
>> Version - BIND 9.16.6 (Stable Release)
>> I've read RFC 8078 - which says...  (https://tools.ietf.org/html/rfc8078)
>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>>    contain the exact fields as shown below.
>> 
>>       CDS 0 0 0 0
>> 
>>       CDNSKEY 0 3 0 0
>> 
>> In Knot docs... https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
>> it says...
>> 
>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>> 
>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...
>> 
>> A child zone can also signal to turn off DNSSEC by removing the DS record set in the parent zone.
>> In this case, the operator may publish a special CDS record which must exactly match:
>> CDS 0 0 0 00
>> 
>> I have a zone called "nodnssec.edu.za".
>> 
>> In a text zone - if I add:-
>> 
>> CDS     0 0 0 0
>> 
>> I get:-   (from running: /usr/sbin/named-checkconf -z /etc/bind/named.conf | grep nodnssec)
>> 
>> _default/nodnssec.edu.za/IN: bad hex encoding
>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>> zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed: bad hex encoding
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>> 
>> CDS     0 0 0 00   gives me.... 
>> 
>> _default/nodnssec.edu.za/IN: bad CDS
>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>> 
>> I've also tried a null string - CDS     0 0 0 ""    - no joy.
>> 
>> So what should I add?
>> 
>> I've seen a record hosted by Cloudflare for revolution.edu.za; dig shows that as "CDS     0 0 0 00" and the NET_DNS2 software shows it as "CDS     0 0 0 " (no digest at all).
>> 
>> -- 
>> Mark James ELKINS  -  Posix Systems - (South) Africa
>> mje at posix.co.za       Tel: +27.826010496
>> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za